Prevent device tracking by untrusted access points
==================================================

.. warning:: This guide is deprecated. It does not currently work due to https://tracker.pureos.net/T775

Overview
--------

Untrusted access points (e.g. your free coffee shop Wi-Fi) can recognise and track your device using your device-specific MAC address.

The following procedure will cycle your MAC address by default, preventing device tracking by arbitrary access points.

It will also demonstrate how to declare a stable MAC address for trusted access points (e.g. your office ethernet). This is used, for example, by a trustworthy sysadmin to assign you a permanent IP address.

This technique is sometimes called "MAC address spoofing".

Procedure
---------

#. Install macchanger. When prompted, answer "Yes" to cycle your MAC address.

   .. code-block:: bash

      sudo apt install macchanger

#. List all known connections.

   .. code-block:: bash

      nmcli connection show

#. Enable a stable address for a trusted connection (replace "Office Wi-Fi" with the name of the trusted connection).

   .. code-block:: bash

      nmcli connection modify "Office Wi-Fi" \
        wifi.cloned-mac-address stable

#. Repeat the previous step for all trusted connections.

#. Make a connection.

#. List all known connections and note the Device of the active connection.

   .. code-block:: bash

      nmcli connection show

#. Confirm that your "current" and "permanent" MAC addresses are different (replace DEVICE with the value from step 6).

   .. code-block:: bash

      macchanger --show DEVICE
      # for example, macchanger --show wlp1s0

Notes
-----

#. ``macchanger`` runs with the ``--ending`` setting, so vendor bytes remain the same.

#. For trusted connections a third, stable address will be used. This can be confirmed in Network Settings under the "Identity" tab. The "Cloned address" field will show "stable". Use the following commands to find out the MAC address (replace "CONNECTION NAME" with the connection name):

   .. code-block:: bash

      nmcli connection show
      nmcli connection show "CONNECTION NAME" | grep mac-address

#. Tested with the following versions:

   * ``macchanger-1.7.0-5.4``
   * ``network-manager-1.14.6-2``

Alternate configuration
-----------------------

Alternatively you can trust all access points, and cycle your MAC address only for untrusted access points. In this case you don't need to install ``macchanger``, just use the following command (replace "CONNECTION NAME" with the connection name):

.. code-block:: bash

   nmcli connection modify "CONNECTION NAME" wifi.cloned-mac-address random

.. seealso::

   * https://perot.me/mac-spoofing-what-why-how-and-something-about-coffee
   * https://packages.debian.org/stable/macchanger
   * https://blogs.gnome.org/thaller/2016/08/26/mac-address-spoofing-in-networkmanager-1-4-0/
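
A scripted version of the check in step 7 and the first note, added here as an example and not part of the original guide: it parses ``macchanger --show`` output and reports whether the current address differs from the permanent one and whether the vendor bytes were kept. The function names and the sample outputs are constructed for illustration.

```bash
# Added example (POSIX sh compatible): classify `macchanger --show DEVICE` output.
# Sample outputs below are constructed; the addresses are made up.
SAMPLE_CYCLED='Current MAC:   00:11:22:9a:4c:e1 (unknown)
Permanent MAC: 00:11:22:33:44:55 (unknown)'
SAMPLE_UNCHANGED='Current MAC:   00:11:22:33:44:55 (unknown)
Permanent MAC: 00:11:22:33:44:55 (unknown)'
SAMPLE_VENDOR_CHANGED='Current MAC:   3e:5f:07:c2:18:a4 (unknown)
Permanent MAC: 00:11:22:33:44:55 (unknown)'

# Print the lower-cased address on the "<label> MAC:" line read from stdin.
mac_field() {
    awk -v label="$1" '$1 == label && $2 == "MAC:" { print tolower($3); exit }'
}

# Succeed only for six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Read macchanger output on stdin and print one of:
#   unchanged             current == permanent, device is still trackable
#   cycled-vendor-kept    last three bytes differ, vendor bytes kept (--ending)
#   cycled-vendor-changed whole address differs from the permanent one
# Prints "unparseable" and returns 2 if either address is missing.
classify_mac_state() {
    out=$(cat)
    cur=$(printf '%s\n' "$out" | mac_field Current)
    perm=$(printf '%s\n' "$out" | mac_field Permanent)
    if ! is_mac "$cur" || ! is_mac "$perm"; then
        echo "unparseable"
        return 2
    fi
    if [ "$cur" = "$perm" ]; then
        echo "unchanged"
    elif [ "$(printf '%s' "$cur" | cut -c1-8)" = "$(printf '%s' "$perm" | cut -c1-8)" ]; then
        echo "cycled-vendor-kept"
    else
        echo "cycled-vendor-changed"
    fi
}

# Demo on the constructed samples; on a real system run instead:
#   macchanger --show wlp1s0 | classify_mac_state
for sample in "$SAMPLE_CYCLED" "$SAMPLE_UNCHANGED" "$SAMPLE_VENDOR_CHANGED"; do
    printf '%s\n' "$sample" | classify_mac_state
done
```

An ``unchanged`` result after connecting to an untrusted access point means the MAC address was not cycled and the device is still identifiable by its permanent address.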